Privacy Policy
Last updated: March 24, 2026
Effective: March 24, 2026
1. Introduction
True North Mail ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.
This Policy applies to all users globally and includes specific provisions for EU/EEA residents (GDPR) and California residents (CCPA/CPRA).
2. Our Privacy Commitment
Unlike traditional email providers, we believe your email should remain private:
- No email scanning for ads: We never scan your emails to serve advertisements
- No data selling: We never sell your personal information to third parties
- Encryption: Your sensitive data is encrypted at rest (AES-256) and in transit (TLS 1.2+)
- Data minimization: We only collect what we need to provide the Service
- No AI training: We do not use your email content to train AI models without your explicit consent
3. Data We Collect
3.1 Account Information (via Clerk)
- Full name and email address
- Company name and domain
- Account creation date and last login timestamp
- Profile settings and preferences
3.2 Email Data
- Email content: Subject lines, message bodies, and attachments, stored encrypted in AWS S3
- Email metadata: Sender, recipients, CC/BCC, timestamps, message ID, headers, stored in AWS DynamoDB
- Delivery data: Delivery status, bounce records, complaint notifications from AWS SES
3.3 Billing Information (via Stripe)
- We do not store full credit card numbers or CVV codes
- Stripe stores payment instrument data; we receive last 4 digits, card type, and expiry month/year
- Billing address and transaction history (for tax/legal compliance)
3.4 Usage and Technical Data
- IP addresses and approximate geolocation (country/region)
- Browser type and version, operating system
- Pages visited, features used, time spent (aggregated analytics)
- API access logs, error logs, and security event logs
- Storage consumption metrics
3.5 Communications
- Support tickets and correspondence with our team
- Feedback and feature requests you submit
4. How We Use Your Data
| Purpose | Data Used | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Providing the email service | Email content, metadata, account data | Performance of contract (6(1)(b)) |
| Authentication and account management | Account data (via Clerk) | Performance of contract (6(1)(b)) |
| Processing payments | Billing data (via Stripe) | Performance of contract (6(1)(b)) |
| Security and fraud prevention | Logs, IP addresses, usage patterns | Legitimate interests (6(1)(f)) |
| Legal compliance and record-keeping | Billing records, logs | Legal obligation (6(1)(c)) |
| Product analytics and improvement | Aggregated usage data | Legitimate interests (6(1)(f)) |
| Transactional emails | Email address | Performance of contract (6(1)(b)) |
| Marketing emails | Email address | Consent (6(1)(a)), opt-in only |
| AI-powered features (if enabled) | Email content (user-activated only) | Consent (6(1)(a)) |
5. Data Storage and Security
5.1 Infrastructure
- Primary region: AWS us-east-1 (Northern Virginia, USA)
- Email content: AWS S3, encrypted at rest (AES-256) and in transit (TLS 1.2+)
- Metadata & account data: AWS DynamoDB, encrypted at rest, access-controlled via IAM
- Authentication: Clerk (managed service with SOC 2 Type II certification)
5.2 Security Measures
- All data in transit protected by TLS 1.2 or higher
- Encryption at rest for all storage systems (AES-256)
- Least-privilege access controls for internal systems
- Regular security reviews and vulnerability assessments
- Multi-factor authentication available for all accounts
5.3 Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify affected users within 72 hours of becoming aware of the breach (as required by GDPR Article 33). We will also notify the relevant supervisory authority as required by law.
6. Third-Party Data Processors
We share data with the following processors solely to provide the Service. All processors are bound by Data Processing Agreements (DPAs):
| Processor | Purpose | Location | Certification |
|---|---|---|---|
| Amazon Web Services (SES, S3, DynamoDB) | Email processing, delivery, storage | USA (us-east-1) | AWS DPA + SCCs |
| Stripe | Payment processing and billing | USA | Stripe DPA + SCCs |
| Clerk | User authentication and identity | USA | Clerk DPA + SCCs |
| OpenAI | AI features (only if user-activated) | USA | OpenAI DPA + SCCs |
We do not sell, rent, or trade your personal information to any third party for marketing or advertising purposes.
7. Your Rights
7.1 Rights Available to All Users
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your account and associated personal data
- Opt-out: Unsubscribe from marketing emails at any time
7.2 Additional Rights for EU/EEA Residents (GDPR)
- Data Portability (Art. 20): Receive your personal data in a structured, machine-readable format (JSON/CSV)
- Restriction of Processing (Art. 18): Request we limit how we use your data in certain circumstances
- Object to Processing (Art. 21): Object to processing based on legitimate interests
- Withdraw Consent (Art. 7): Withdraw consent at any time for consent-based processing (e.g., marketing, AI features)
- Not be subject to automated decisions (Art. 22): We do not make solely automated decisions with legal or significant effects
- Lodge a Complaint: With your local data protection authority (DPA). For UK users: ICO (ico.org.uk); for EU users: your national DPA
7.3 Additional Rights for California Residents (CCPA/CPRA)
- Know what personal information we collect, use, disclose, and sell
- Delete personal information we have collected (with exceptions)
- Correct inaccurate personal information
- Opt-out of the sale or sharing of personal information. We do not sell or share personal information.
- Non-discrimination for exercising your privacy rights
How to exercise your rights: Email privacy@truenorth.email with subject "Privacy Request." We will verify your identity and respond within 30 days (EU: within 1 calendar month, extendable by 2 additional months for complex requests with notice).
8. Data Retention
| Data Category | Retention Period |
|---|---|
| Email content (S3) | Duration of account + 30 days post-cancellation |
| Email metadata (DynamoDB) | Duration of account + 30 days post-cancellation |
| Account data (Clerk) | Duration of account + 30 days post-cancellation |
| Billing records (Stripe) | 7 years (tax/legal obligation) |
| Security & access logs | 90 days rolling |
| Support communications | 2 years from last interaction |
| Aggregated analytics | Indefinite (no personal data) |
Upon account deletion: personal data is removed from production systems within 30 days and from all backup systems within 90 days.
9. Cookies and Tracking
| Category | Purpose | Can Disable? |
|---|---|---|
| Strictly Necessary | Session management, security (CSRF), load balancing | No |
| Analytics | Aggregated page views and usage statistics | Yes (cookie banner) |
| Marketing | Retargeting and ad conversion tracking | Yes (opt-in only; disabled by default for EU users) |
EU/EEA visitors are presented with a cookie consent banner (PECR/ePrivacy compliant) on first visit. Consent is stored and can be withdrawn at any time via the cookie preferences link in the footer. No third-party advertising trackers are loaded within the authenticated application.
10. International Data Transfers
True North Mail is based in the USA. If you are located in the EU/EEA or UK, your personal data is transferred to the USA. We rely on the following transfer mechanisms:
- Standard Contractual Clauses (SCCs): European Commission Decision 2021/914, incorporated into our DPAs with AWS, Stripe, Clerk, and OpenAI
- EU-US Data Privacy Framework: AWS and Stripe participate in the EU-US DPF (certified)
- UK International Data Transfer Agreements (IDTAs): For transfers from the UK
11. Children's Privacy
True North Mail is a business service not directed to individuals under 16 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us at privacy@truenorth.email and we will promptly delete it.
12. Changes to This Policy
- We will notify you of material changes to this Policy via email at least 14 days before they take effect
- For minor clarifications that do not affect your rights, we may update the Policy without prior notice
- The date of the last update is shown at the top of this page
- Archived versions will be available upon request
13. Contact and Data Controller
Data Controller: True North Mail
Privacy inquiries: privacy@truenorth.email
EU Representative / DPO: dpo@truenorth.email
Security issues: security@truenorth.email
For EU residents: If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority.